5 Network Traffic Analysis

Traffic Segmentation and Normalization

Network taps and mirrored switch ports copy selected production traffic to isolated visibility subnets, where it can be inspected without affecting the performance or availability of the production path. Virtual routing then virtually isolates that copy for the analysis tools. Normalization converts the payload data into the uniform formats needed for coherent analytics across devices from different vendors. Because taps and mirroring deliver the complete traffic stream rather than sampled data, nothing is missed. Virtual routing places the copies in dedicated virtual local area networks (VLANs) or cloud virtual private clouds (VPCs), separating visibility traffic from production without any change to production routing. The result is unconstrained monitoring with no downtime risk (Rodriguez, 2014).

Normalization transforms raw traffic into consistent schemas that an intrusion detection system (IDS) can parse. Each vendor uses its own proprietary payload format, so events cannot be correlated across devices until they are converted. Mapping heterogeneous events such as authentication attempts onto standardized event types and data fields enables unified analytics, machine learning (ML), and forensic queries across all network sources.
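The following is an added illustration, not code from the book, of what normalization means in practice: authentication events arriving in two different vendor formats are mapped onto one common schema so they can be counted together. Both input formats (a key=value style tagged `fwA` and a CSV style tagged `vpnB`), the sample lines, and the target field names are constructed assumptions for this example.

```python
"""Normalize heterogeneous authentication events into one common schema.

Added example, not from the book. The two vendor formats ("fwA" key=value
and "vpnB" CSV), the sample lines, and the target schema fields are all
constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in two hypothetical vendor-specific formats.
RAW_EVENTS = [
    "ts=2024-03-01T08:15:02Z vendor=fwA action=login-fail user=alice src=10.0.0.5",
    "ts=2024-03-01T08:15:09Z vendor=fwA action=login-ok user=alice src=10.0.0.5",
    "2024-03-01 08:16:44,vpnB,AUTH_FAILURE,bob,192.168.1.20",
]

# Every parser must emit exactly these fields (assumed target schema).
SCHEMA_FIELDS = ("timestamp", "source_device", "event_type", "outcome", "user", "src_ip")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse the hypothetical 'fwA' key=value format; None if it does not match."""
    kv = dict(KV_RE.findall(line))
    if kv.get("vendor") != "fwA":
        return None
    return {
        "timestamp": datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source_device": "fwA",
        "event_type": "authentication",
        "outcome": "success" if kv["action"] == "login-ok" else "failure",
        "user": kv["user"],
        "src_ip": kv["src"],
    }


def parse_csv(line):
    """Parse the hypothetical 'vpnB' CSV format; None if it does not match."""
    parts = line.split(",")
    if len(parts) != 5 or parts[1] != "vpnB":
        return None
    ts, _, status, user, ip = parts
    return {
        "timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "source_device": "vpnB",
        "event_type": "authentication",
        "outcome": "success" if status == "AUTH_SUCCESS" else "failure",
        "user": user,
        "src_ip": ip,
    }


PARSERS = (parse_kv, parse_csv)


def normalize(lines):
    """Map each raw line onto the common schema; unknown formats are kept raw for triage."""
    events = []
    for line in lines:
        for parser in PARSERS:
            event = parser(line)
            if event is not None:
                events.append(event)
                break
        else:
            # Unrecognized format: emit a schema-shaped record so queries still work,
            # but keep the original line so nothing is silently dropped.
            events.append({field: None for field in SCHEMA_FIELDS} | {"raw": line})
    return events


def failures_by_user(events):
    """Cross-vendor query that only works once events share one schema."""
    return Counter(e["user"] for e in events if e["outcome"] == "failure")


if __name__ == "__main__":
    for event in normalize(RAW_EVENTS):
        print(event)
    print(failures_by_user(normalize(RAW_EVENTS)))
```

The point is the last function: `failures_by_user` is written once against the common fields and counts failures from both devices without knowing which vendor produced each line. Header-less or unknown lines are preserved in a `raw` field rather than discarded, which keeps the normalized store complete for forensic queries.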

Application and Protocol Profiling

Deep packet inspection (DPI) reconstructs complete application-layer activity traversing the network, whether authorized or prohibited. For example, DPI reveals Simple Mail Transfer Protocol (SMTP) transactions and flags confidentiality violations within them. Analysts gain full protocol context, including headers, payloads, transferred files, and certificates. ...
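As an added example (not from the book) of the SMTP case above, the following reconstructs one mail transaction from the client side of a captured session and raises a finding when a message carrying a confidentiality marker is addressed outside the organization. The session transcript, the internal domain `corp.example`, and the `X-Classification` header used as the policy signal are all constructed assumptions; a real DPI engine would also handle folded headers, MIME parts, and the server's replies.

```python
"""Reconstruct an SMTP transaction from a captured client stream and flag a policy violation.

Added example, not from the book. The session, the internal domain, and the
'X-Classification: Confidential' policy signal are constructed assumptions.
"""
INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain

# Constructed client->server byte stream, already reassembled by the capture layer.
CLIENT_STREAM = (
    "EHLO laptop.corp.example\r\n"
    "MAIL FROM:<alice@corp.example>\r\n"
    "RCPT TO:<bob@corp.example>\r\n"
    "RCPT TO:<partner@outside.example>\r\n"
    "DATA\r\n"
    "From: alice@corp.example\r\n"
    "To: bob@corp.example, partner@outside.example\r\n"
    "Subject: Q3 numbers\r\n"
    "X-Classification: Confidential\r\n"
    "\r\n"
    "Attached are the draft figures.\r\n"
    "..leading dot line is dot-stuffed per RFC 5321\r\n"
    ".\r\n"
    "QUIT\r\n"
)


def parse_smtp_client(stream):
    """Walk the client side of the session; return envelope, headers, and body lines."""
    txn = {"helo": None, "mail_from": None, "rcpt_to": [], "headers": {}, "body": []}
    lines = stream.split("\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if upper.startswith("EHLO ") or upper.startswith("HELO "):
            txn["helo"] = line.split(" ", 1)[1]
        elif upper.startswith("MAIL FROM:"):
            txn["mail_from"] = line[len("MAIL FROM:"):].strip("<> ")
        elif upper.startswith("RCPT TO:"):
            txn["rcpt_to"].append(line[len("RCPT TO:"):].strip("<> "))
        elif upper == "DATA":
            # Message content follows until a line consisting of a single '.'
            i += 1
            in_headers = True
            while i < len(lines) and lines[i] != ".":
                content = lines[i]
                if in_headers:
                    if content == "":
                        in_headers = False  # blank line ends the header block
                    elif ":" in content:
                        key, value = content.split(":", 1)
                        txn["headers"][key.strip().lower()] = value.strip()
                else:
                    # Undo dot-stuffing: a leading ".." stands for a single "."
                    txn["body"].append(content[1:] if content.startswith("..") else content)
                i += 1
        i += 1
    return txn


def external_recipients(txn, internal_domain=INTERNAL_DOMAIN):
    """Envelope recipients whose domain is not the assumed internal domain."""
    suffix = "@" + internal_domain.lower()
    return [r for r in txn["rcpt_to"] if not r.lower().endswith(suffix)]


def check_confidentiality(txn):
    """Flag a message classified Confidential that is addressed outside the domain."""
    classification = txn["headers"].get("x-classification", "").lower()
    external = external_recipients(txn)
    return {
        "violation": classification == "confidential" and bool(external),
        "sender": txn["mail_from"],
        "external_recipients": external,
        "subject": txn["headers"].get("subject"),
    }


if __name__ == "__main__":
    transaction = parse_smtp_client(CLIENT_STREAM)
    print(check_confidentiality(transaction))
```

The envelope (`MAIL FROM` / `RCPT TO`) is checked rather than the `To:` header because the envelope is what the mail server actually delivers to; a message can carry a benign header while being routed elsewhere. The finding records sender, subject, and the external recipients so an analyst has the full transaction context the passage describes.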
